U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

U.S. Census Bureau

FY 2009 FISMA Assessment of the Field Data Collection Automation System (CEN22)
Final Report No. OAE-19728
November 2009

Office of Audit and Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

November 20, 2009

MEMORANDUM FOR:  Dr. Robert M. Groves
                 Director
                 U.S. Census Bureau

                 Thomas L. Mesenbourg Jr.
                 Deputy Director and Chief Operating Officer
                 U.S. Census Bureau

FROM:            Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:         U.S. Census Bureau
                 FY 2009 FISMA Assessment of the Field Data Collection Automation System (CEN22)
                 Final Report No. OAE-19728

This is our report on the results of our Federal Information Security Management Act (FISMA) review of the bureau's certification and accreditation of the Field Data Collection Automation (FDCA) system.

We found that the authorizing official incorrectly determined that the risks identified by the certification agent were low at the time the authorization to operate was granted. Given that FDCA is mission critical and was needed to support decennial field operations that could not be delayed, the authorizing official should have extended the April 17, 2009, interim authorization to operate, rather than granting a full authorization. This would have allowed the system to operate under specific terms and conditions, while acknowledging greater risk to the agency for a specified period of time. We recognize the critical need for FDCA to continue to operate and provide support to decennial census operations, and thus have made recommendations to provide increased assurance that the system and its information will be adequately protected for the duration of the decennial census.

At the time the system was authorized, progress in correcting numerous and significant vulnerabilities was minimal. The certification agent noted that security features providing layers of security redundancy could compensate for numerous vulnerabilities; however, our assessment of the compensating security features determined they were in fact not effectively protecting the system.

Our review also found that FDCA's system security plans and security control assessments were generally adequate, but need improvement.
We also found that the bureau has not established, implemented, and assessed secure configuration settings for all IT products that are part of FDCA.

In its response to our draft report, Census concurred with all our findings and all but one of our recommendations; however, we find Census's planned action to address this recommendation is reasonable and responsive. Census's response is summarized in the appropriate sections of the report and is included in its entirety as appendix A.

We request that you provide us, within 60 calendar days of the date of this report, with an action plan describing the actions you have taken or plan to take in response to our recommendations. As required by FISMA, a plan of action and milestones should be used to communicate the plan.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc:  Suzanne Hilding, Chief Information Officer, U.S. Department of Commerce
     Arnold A. Jackson, associate director for decennial census, U.S. Census Bureau
     Brian E. McGrath, associate director for information technology and chief information officer, U.S. Census Bureau
     Patricia McGuire, program manager for field data collection automation program management office, U.S. Census Bureau
     Timothy P. Ruland, chief, information technology office, U.S. Census Bureau
     Adam C. Miller, Census audit liaison


Report In Brief
U.S. Department of Commerce, Office of Inspector General
November 2009

U.S. Census Bureau
FY 2009 FISMA Assessment of the Field Data Collection Automation System (OAE-19728)

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to identify and provide security protection of information collected or maintained by it or on its behalf. Inspectors general are required to annually evaluate agencies' information security programs and practices. Such evaluations must include testing of a representative subset of systems and an assessment, based on that testing, of the entity's compliance with FISMA and applicable requirements.

This review covers our evaluation of the Census Bureau's FDCA system, which is one of a sample of systems we assessed in FY 2009.

Background

FDCA is a contractor-designed system used by Census field workers to collect, process, and secure information for the decennial census. The FDCA system provides essential IT support for census field operations.

C&A is a process by which security controls for IT systems are assessed to determine their overall effectiveness. Understanding the remaining vulnerabilities identified during the assessment is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.

What We Found

We evaluated certification and accreditation activities for the Field Data Collection Automation (FDCA) system as part of our FY 2009 reporting responsibilities under the Federal Information Security Management Act (FISMA).

On April 17, 2009, FDCA was granted an interim authorization to operate, allowing the system to operate under specific terms and conditions while vulnerabilities were assessed and corrected. On June 17, 2009, the authorizing official granted full operation of FDCA, even though at the time Census had made only minimal progress in correcting system weaknesses. We found that the authorizing official should have extended the interim authorization to operate rather than issuing a full authorization.

Our review also found that FDCA's system security plans and security control assessments were generally adequate, but need improvement. The bureau has not established, implemented, and assessed secure configuration settings for all IT products that are part of FDCA.

What We Recommend

We recognize the need for FDCA to continue to operate and provide support to decennial census operations, so our recommendations are intended to provide increased assurance that the system and its information will be adequately protected for the duration of the decennial census.

Census agreed with our findings and all but one of our recommendations. It partially concurred with this recommendation and described a reasonable and responsive alternative corrective action.


OIG FY 2009 FISMA Assessment

Listing of Abbreviated Terms and Acronyms

C&A        certification and accreditation
CIS        Center for Internet Security
CM         configuration management
DBMS       database management system
DPC        data processing center
FDCA       Field Data Collection Automation
FISMA      Federal Information Security Management Act of 2002
FOS        field operation supervisors
HHC        hand-held computers
IT         information technology
LCO        Local Census Office
NIST SP    National Institute of Standards and Technology Special Publication
OIG        Office of Inspector General
POA&M      plan of action and milestones
SA         system administrator
SAR        security assessment report
SSP        system security plan


Synopsis of Findings

  • System security plans were generally adequate, but some minor improvements are needed.

  • Census has not established, implemented, and assessed secure configuration settings for all IT products.

  • Security control assessments were generally adequate, but improvements are needed.

  • OIG control assessment found vulnerabilities requiring remediation.

  • Overstatement of compensating security features and downplaying numerous vulnerabilities led to an ill-advised and inappropriate authorization decision.

Conclusion

We concluded that the decisions to recommend and grant an authorization to operate were inappropriate. But given the field data collection automation (FDCA) system's requirement to support decennial field operations on a fixed schedule, the authorizing official should have extended the April 17, 2009, interim authorization to operate.

The certification agent's recommendation to grant an authorization to operate was flawed because progress in correcting numerous and significant vulnerabilities was minimal.
In general, the certification agent did comprehensively assess security controls and identify numerous high-risk vulnerabilities.

The agent noted that security features providing layers of security redundancy could compensate for numerous vulnerabilities; however, our assessment of the compensating security features determined they were in fact not effectively protecting the system. The agent cited mission criticality as a factor in the recommendation. However, National Institute of Standards and Technology Special Publication (NIST SP) 800-37 states that if the authorizing official deems that the risk is unacceptable, but there is an overarching mission necessity to place the information system into operation, an interim authorization to operate may be issued. An interim authorization provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time.

The authorizing official incorrectly determined that the risks identified by the certification agent were low, and inappropriately granted the authorization to operate. Information concerning the high-risk vulnerabilities identified during the certification assessment, the compensating security features, and the progress made on remediating vulnerabilities was provided to the authorizing official. At the exit conference, the authorizing official indicated he believed the decision to grant the June 17, 2009, authorization to operate was his only option to allow FDCA to remain in operation. However, as discussed previously, the interim authorization should have been extended.


Summary of Census Response

In its response to our draft report, Census concurred with all of our findings and all but one of our recommendations. It partially concurred with this recommendation and described alternative corrective action. Census also identified actions it will take to address our other findings and recommendations.

OIG Comments

After reviewing Census's planned action to address the recommendation it partially concurred with, we conclude that it is reasonable and responsive to the recommendation.

We address specific elements of Census's response in the applicable sections of the report and include the full response as appendix A.


Introduction

The FDCA system provides essential IT support for census field operations. The bureau is using this contractor-developed system to collect, process, and secure information for the decennial census.

Census has categorized FDCA as a [redacted] system, which means that a security breach could have a [redacted] effect on organizational operations, organizational assets, or individuals.

The OIG previously evaluated the FY 2008 dress rehearsal certification and May 30, 2007, accreditation of this system.
In a report issued September 29, 2008, we concluded that:\n\n \xe2\x80\xa2    Census needed to improve security control assessments to assure that controls are\n      implemented correctly, operating as intended, and meeting the security requirements\n      for the system; and\n \xe2\x80\xa2    the authorizing official had not been provided the necessary information to make a\n      credible, risk-based accreditation decision.\n\nTo meet the FY 2009 Federal Information Security Management Act (FISMA) reporting\nrequirements, we evaluated the Census Bureau certification and accreditation (C&A) for the\nFDCA system (CEN22). For a complete outline of our objectives, scope, and methodology,\nsee appendix B. FDCA is a critical system supporting the decennial address canvassing field\noperation. This evaluation addresses FDCA\xe2\x80\x99s C&A completed on June 17, 2009.\n\nCertification & Accreditation Timeline\n\nFrom May 2007 to June 2009, FDCA underwent a phased C&A process to permit operating\nthe portions of the system necessary to prepare for and conduct decennial census activities,\neven though the development of the full FDCA system was incomplete. 
The list below\nprovides a chronology of C&A activities during this time period.\n\n \xe2\x80\xa2    May 30, 2007 \xe2\x80\x93 Authorization to operate granted to support decennial census dress\n      rehearsal.\n\n \xe2\x80\xa2    January 2, 2008 \xe2\x80\x93 Authorization to operate granted to include the operation of a new\n      data processing center 2 (DPC2) until September 30, 2009.\n\n \xe2\x80\xa2    As a result of changing scope of the FDCA contract, many architectural changes\n      mandated by Census, and the addition of new functionality, it became necessary to\n      recertify and reaccredit the entire system.\n\n \xe2\x80\xa2    October 9, 2008 \xe2\x80\x93 Authorization to operate granted until January 2009 to continue\n      system development and move into the production phase for address canvassing\n      activities. DPC2 was not included in this authorization.\n        o Certification assessments were incomplete.\n        o Fifty-seven vulnerabilities were recorded on the system plan of action and\n              milestones (POA&M).\n\n \xe2\x80\xa2    February 20, 2009 \xe2\x80\x93 Certification assessments were reported as completed.\n\n \xe2\x80\xa2    April 3, 2009 \xe2\x80\x93 Authorization granted to operate DPC2 until April 17, 2009, to support\n      address canvassing begun on March 30, 2009.\n\n\n                                            Page 4\n\x0c                             OIG FY 2009 FISMA Assessment\n      o   The certification status and recommendation memo acknowledges that\n          certification assessments reported as complete on February 20, 2009, actually\n          have not been completed and are still underway. 
Incomplete assessments\n          include DPC2 components.\n\n\xe2\x80\xa2   April 17, 2009 \xe2\x80\x93 Interim authorization to operate granted until June 17, 2009, for\n    continuation of address canvassing activities.\n      o Although certification tests are completed, the Information Technology Security\n           Office is still assessing the information obtained from testing.\n\n\xe2\x80\xa2   April 22, 2009 \xe2\x80\x93 Certification status memo explains that certification assessments have\n    been completed.\n      o Approximately 1,100 vulnerabilities are acknowledged; this number is considered\n           \xe2\x80\x9cvery high\xe2\x80\x9d by the certification agent.\n      o An approval to operate (non-interim) will not be granted until the vulnerabilities\n           and the lack of sound documentation have been addressed.\n\n\xe2\x80\xa2   June 17, 2009 \xe2\x80\x93 Authorization to operate all aspects of the FDCA system is granted.\n      o The authorizing official explains that residual risks to the system are low.\n      o Authorization will expire June 17, 2012.\n\n\n\n\n                                         Page 5\n\x0c                                 OIG FY 2009 FISMA Assessment\nFindings and Recommendations\n\n 1. System Security Plans Were Generally Adequate, but Some Minor\n    Improvements Are Needed\n\n   \xe2\x80\xa2   The initial security plan was approved at the conclusion of the C&A initiation phase on\n       January 13, 2008. The plan was updated June 5, 2009, and provided to the authorizing\n       official. Both plans were generally adequate. 
Our evaluation found that both plans\n       include\n          o system descriptions that provide a clear overview of the system architecture and\n               functionality;\n          o applicable security control enhancements and organization-defined parameters\n               necessary for tailoring security controls;\n          o adequate descriptions of planned portions of security controls; and\n          o descriptions of how security controls are implemented across the diverse\n               components included in the system accreditation boundary.\n\n   \xe2\x80\xa2   However, both plans include minor deficiencies that need to be corrected (see table 1):\n        o The initial security plan had minor deficiencies that impacted the assessment of\n           two security control enhancements during the certification.\n        o The updated security plan provided to the authorizing official has minor\n           deficiencies in security control descriptions. The deficiencies may impact the\n           quality of future continuous monitoring assessments.\n\n Recommendation\n\n 1.1 Census should ensure that security plan deficiencies in table 1 are corrected.\n\n\n\nCensus Response\n\nCensus concurred with this finding and our recommendation.\n\n\n\n\n                                             Page 6\n\x0c                              OIG FY 2009 FISMA Assessment\n\n2. 
Census Has Not Established, Implemented, and Assessed Secure\n   Configuration Settings for All IT Products\nBackground: Our FY 2008 report on FDCA, FY 2008 FISMA Assessment of Field Data\nCollection Automation System (CEN22), found that \xe2\x80\x9csecure configuration settings were\ndefined and assessed for some IT products, but improvements are needed.\xe2\x80\x9d\n\nWe recommended that \xe2\x80\x9cCensus should ensure that secure configuration settings are defined,\nimplemented, and assessed for all IT products in the system accreditation boundary in\naccordance with NIST SP 800-70, Security Configuration Checklists Program for IT\nProducts.\xe2\x80\x9d\n\nIn response to our report, Census provided an action plan that included a POA&M item to\nimplement the recommendation by May 29, 2009. We concurred with the action plan.\n\n \xe2\x80\xa2   Census did not follow its action plan to fully implement secure configuration settings.\n      o FDCA now has secure configuration settings established for fewer IT products\n          than in the previous year.\n            \xc2\x83 Our FY 2008 evaluation of FDCA found secure configuration settings were\n                established for 10 out of 13 IT products.\n            \xc2\x83 Currently, only the following 8 of 47 IT products have adequately\n                established secure configuration settings.\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n            \xc2\x83 Significant examples of the 39 IT products that did not have established\n                settings are\n                   \xe2\x80\xa2\n\n                   \xe2\x80\xa2\n\n\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n  
           \xc2\x83   The FDCA system changed significantly since the May 30, 2007,\n                 authorization to operate. Therefore, the established secure configuration\n                 settings were no longer accurate, resulting in fewer established settings. In\n                 addition, many more IT products were added to the system, resulting in the\n                 change from 13 to 47 total IT products.\n             \xc2\x83   The security assessment report (SAR) and POA&M fully informed the\n                 authorizing official concerning the lack of secure configuration settings.\n\n\n\n\n                                          Page 7\n\x0c                                OIG FY 2009 FISMA Assessment\n\n   \xe2\x80\xa2   Secure configuration settings were assessed for seven of the eight IT products that had\n       adequate secure configuration settings established. However, the secure configuration\n       settings for                     were not assessed because the certification team did\n       not consider the settings documented sufficiently to perform an assessment.\n         o However, the secure configuration settings for this product were identified,\n              necessary deviations were documented, and justifications for deviations were\n              included. Therefore, these secure configuration settings were established enough\n              to assess, and they should have been assessed.\n\n Recommendation\n\n 2.1 Census should ensure that secure configuration settings are established, implemented,\n     and assessed for all IT products in the system accreditation boundary in accordance with\n     NIST SP 800-70, Security Configuration Checklists Program for IT Products.\n\n\n\nCensus Response\n\nCensus concurred with this finding and our recommendation.\n\n\n\n\n                                            Page 8\n\x0c                               OIG FY 2009 FISMA Assessment\n\n3. 
Security Control Assessments Were Generally Adequate, but\n   Improvements Are Needed\n \xe2\x80\xa2   Security control assessment results were generally supported by adequate evidence.\n\n \xe2\x80\xa2   Vulnerabilities identified during assessments were reported to the authorizing official via\n     the SAR and the POA&M.\n\n \xe2\x80\xa2   Assessment procedures were generally tailored to the system specific implementation\n     of security controls.\n\n \xe2\x80\xa2   Security control assessments included most IT products that implement security\n     controls.\n       o However, assessments were not performed on a representative set of some\n           components even though the certification team was aware that these\n           assessments were lacking:\n              \xc2\x83                          at Local Census Offices (LCOs); this issue was\n                 reported in the SAR.\n              \xc2\x83\n\n             \xc2\x83                           were not included in all assessments for the\n                 following controls because assessment scanning did not include them.\n                 However, it is important to note that these assessments were performed for\n                 similarly configured non-production                         POA&M item\n                 1284 addresses this issue.\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n                   \xe2\x80\xa2\n\n \xe2\x80\xa2   Results for 34 of the 182 security control assessments we evaluated were not adequate\n     (see table 2 for examples).\n\n \xe2\x80\xa2   No assessments were performed to determine if the                        
was\n     implemented on the network switches and firewalls that rely on\n                                                                               .\n       o   The FDCA switches and firewalls rely on              servers to implement\n           requirements for the following security controls.\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n\n\n                                            Page 9\n\x0c                                 OIG FY 2009 FISMA Assessment\n               \xc2\x83\n               \xc2\x83\n         o   However,            was not implemented on one of the switches or on the web\n             console interface for two firewalls.\n\n   \xe2\x80\xa2   Some security control assessment evidence collected during security certification was\n       not collected by an independent assessor.\n         o In late February 2009, Census determined that some security control\n             assessments were incomplete or inadequate.\n         o To correct missing and inadequate assessments, Census requested that the\n             FDCA system administration staff produce and deliver evidence such as\n             screenshots, audit logs, and configurations for 21 of 47 system components.\n                \xc2\x83 The collection of evidence was not observed by an independent assessor,\n                    such as a member of the certification team.\n         o However, it is unlikely that the integrity of the evidence was compromised during\n             this certification because\n                \xc2\x83 the evidence clearly depicted numerous system vulnerabilities, and\n                \xc2\x83 the FDCA configuration management process prohibits even minor\n                    changes without approval of one or more change control oversight groups,\n                    thus reducing the likelihood that temporary configuration changes were\n                    
made to produce more favorable evidence.\n\n Recommendations\n\n Census should ensure that\n\n 3.1 security control assessments for certification are completed before making certification\n     recommendations; and\n 3.2 the collection of evidence to support certification assessments is performed by an\n     independent assessor.\n\n\n\nCensus Response\n\nCensus concurred with this finding and our recommendations.\n\n\n\n\n                                            Page 10\n\x0c                                 OIG FY 2009 FISMA Assessment\n\n 4. OIG Control Assessment Found Vulnerabilities Requiring\n    Remediation\n As part of OIG\xe2\x80\x99s FY 2009 FISMA evaluation of the FDCA system, we selected and assessed\n system components and security controls that would allow us to determine the effectiveness\n of security features that the certification agent noted provide layers of security redundancy.\n\n   \xe2\x80\xa2   We found the following weaknesses (see table 3).\n        o\n              \xc2\x83\n              \xc2\x83\n              \xc2\x83\n\n         o\n               \xc2\x83\n\n               \xc2\x83\n\n               \xc2\x83\n\n         o\n               \xc2\x83\n               \xc2\x83\n         o\n               \xc2\x83\n               \xc2\x83\n         o\n               \xc2\x83\n\n Recommendation\n\n 4.1 Census should ensure the vulnerabilities we identified in table 3 are added to the\n     system\xe2\x80\x99s POA&M and either remediated or accepted by the authorizing official.\n\n\n\nCensus Response\n\nCensus concurred with this finding and our recommendation.\n\n\n\n\n                                            Page 11\n\x0c                                OIG FY 2009 FISMA Assessment\n\n5. 
Overstating Compensating Security Features and Downplaying\n   Numerous Vulnerabilities Led to an Ill-Advised and Inappropriate\n   Authorization Decision\nBackground: The certification recommendation of June 17, 2009, acknowledges numerous\nand significant vulnerabilities. The SAR includes the following:\n\n  \xe2\x80\xa2   261 high-impact vulnerabilities represented by 16 distinct weaknesses affecting\n      numerous IT products (for example, the occurrence of the same weakness on 35\n      different IT products resulted in 35 vulnerabilities)\n         o Impact statements for these weaknesses indicate that\n               \xc2\x83\n               \xc2\x83\n\n              \xc2\x83\n\n  \xe2\x80\xa2   348 moderate-impact vulnerabilities represented by 20 distinct weaknesses affecting\n      numerous IT products\n        o Impact statements for these weaknesses indicate that\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n             \xc2\x83\n\nThe certification recommendation points out that in spite of these deficiencies, layers of\nsecurity redundancy and enhanced security features often compensate for other less-secure\nfeatures (see appendix C, section 1, for the recommendation\xe2\x80\x99s text describing these\ncompensating security features).\n\nIn communications with the OIG, the FDCA certification agent further explained what specific\nfeatures compensate for the numerous remaining deficiencies (see appendix C, section 2, for\nthe certification agent\xe2\x80\x99s statement).These features can be categorized into two sets. 
The certification agent stated that the first set, which consists of the following features, reduces the likelihood that compromise to low priority applications can be escalated into an attack against the system:

        ▪
        ▪
        ▪

He further stated that the second set, consisting of the following features, makes it much more difficult to obtain sensitive FDCA data:

        ▪
        ▪
        ▪
        ▪

•   Our assessment of security controls, coupled with certification findings, shows only three of the seven security features compensating for numerous system vulnerabilities are in place:
      o
      o
      o

•   We concluded that four of the security features identified as compensating for numerous system vulnerabilities were overstated and are not fully in place.
      o
            ▪
      o
            ▪
      o
            ▪
      o
            ▪

•   FDCA is mission critical and required to support decennial field operations whose schedule could not be delayed; therefore, it should have been permitted to operate with an interim rather than full authorization because of the minimal progress in correcting numerous and significant vulnerabilities.
      o In the certification recommendation memo, the certification agent explained, “As a result of my review of the completed C&A package and given both the mission-criticality of the system and the progress made by the FDCA team on correcting identified system vulnerabilities, I recommend this system be issued an authorization to operate from the date of this memo through June 17, 2012.”
            ▪ Although the mission criticality of a system is relevant to the decision to issue an interim authorization to operate, it should not be used to support a decision to approve full authorization.
            ▪ NIST 800-37 states that an authorization to operate is issued when “the authorizing official deems that the risk to agency operations, agency assets, or individuals is acceptable,” whereas interim authorizations to operate are issued when “risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the system into operation, or continue its operation.”
      o Progress correcting numerous and significant vulnerabilities was minimal.
            ▪ In a certification status memo issued on April 22, 2009, the certification agent informed the authorizing official that approximately 1,100 findings resulted in formal POA&Ms (approximately 290 high-, 350 moderate-, and 480 low-risk POA&Ms).
              The certification agent considered this number very high.
            ▪ The June 17, 2009, certification memo explained that only 164 of these POA&Ms (83 high-, 8 moderate-, and 73 low-risk POA&Ms) had been corrected.¹

•   In spite of numerous and significant deficiencies, the authorizing official asserted in the memo granting authorization to operate that the risks to agency operations, agency assets, or individuals resulting from the operation of the information system were low.
      o Certification security control assessment results found that most of the security controls are either not in place or are not operating effectively.
            ▪ Only 638 out of 1,781 instances of security controls implemented on applicable IT products were in place and operating effectively.
      o The certification agent informed the authorizing official that numerous vulnerabilities remained.
            ▪ Although some progress to correct outstanding POA&Ms had been made, it does not justify labeling system operation risk as low.

Recommendations

Census should

5.1 verify the effectiveness of security features before stating they compensate for known weaknesses and thereby reduce overall system risk; and
5.2 report FDCA’s accreditation status as an interim authorization to operate and specify appropriate terms and conditions to remediate identified high-risk vulnerabilities, or ensure the security features compensating for known vulnerabilities are working effectively.

Census Response

Census concurred with this finding but only partially concurred with our second recommendation to report FDCA’s accreditation status as an interim authorization to operate. In its response, Census explained that it concurs with our recommendation based on our observation, but states that since the Authority to Operate was granted, significant progress has been made in addressing the vulnerabilities noted. In addition, the authorizing official is briefed weekly on the progress of correcting the remaining vulnerabilities. As an alternative to our recommendation, Census explained its planned corrective action: if after 90 days, the authorizing official feels that adequate progress has not been made, the authorization to operate will be rescinded and an interim authorization to operate will be issued.

OIG Comments

After reviewing Census’s planned action to address the recommendation, we conclude that the action is reasonable and responsive.

¹ Following the exit conference, Census provided details showing that as of September 25, 2009, 368 out of 1172 POA&Ms (114 high-, 91 moderate-, and 163 low-risk POA&Ms) have been corrected.

Table 1. Deficiencies in System Security Plans
Control             NIST SP 800-53 Requirement          Deficiencies
                                                        Initiation Phase Plan         Certification Phase Plan

Table 2. Examples of Inadequate Assessment Procedures.
Control             NIST 800-53 Requirement             Assessment Results (Full Quotation)        IT Product        OIG Comments

Table 3. Vulnerabilities Found by OIG Assessment.
Control             IT Product      Vulnerability

Appendix A: Census’s Response to Findings

Appendix B: Objectives, Scope, and Methodology

To meet the FY 2009 Federal Information Security Management Act (FISMA) reporting requirements, we evaluated the Census Bureau’s certification and accreditation (C&A) for the Field Data Collection Automation (FDCA) system (CEN22).

Security C&A packages contain three elements, which form the basis of an authorizing official’s decision to accredit a system:

•   The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.
•   The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
•   The plan of action and milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

The Department’s IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are

•   the certification test plan, which documents the scope and procedures for testing (assessing) the system’s ability to meet control requirements; and
•   the certification test results, which are the raw data collected during the assessment.

To evaluate the C&A, we reviewed all components of the C&A package and interviewed Census staff and contractors to clarify any apparent omissions or discrepancies in the documentation and to gain further insight on the extent of the security assessment. We evaluated the security plan and assessment results for applicable security controls and will give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB.

In addition, we performed our own assessment of a targeted selection of controls (see appendix B-1). We conducted our assessment using a subset of procedures from National Institute of Standards and Technology Special Publication (NIST SP) 800-53A, which we tailored to FDCA’s specific control implementations. We did not attempt to perform a complete assessment of each control; instead, we chose to focus on specific technical and operational elements.

We assessed controls on key classes of IT components, choosing a targeted set of components from each class that would allow us to determine the effectiveness of security features that the certification agent noted provide layers of security redundancy.
We assessed configuration settings on operating systems including

We also assessed configurations on IT products including
                           We also included an examination of

Our assessment included the following activities:

•   extraction, examination, and verification of system configurations
•   execution of scripts and manual checklists
•   examination of system logs
•   review of account management procedures
•   examination/analysis of security plan descriptions, including related policy and procedure documents
•   interviews of appropriate Census personnel and contractors

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a                system would require. It gave us direct assurance of the status of select aspects of important system controls and provided meaningful comparison to Census’s security certification.

We used the following review criteria:

•   Federal Information Security Management Act of 2002
•   U.S. Department of Commerce IT Security Program Policy and Minimum Implementation Standards, June 30, 2005
•   NIST Federal Information Processing Standards
      o Publication 199, Standards for Security Categorization of Federal Information and Information Systems
      o Publication 200, Minimum Security Requirements for Federal Information and Information Systems
•   NIST Special Publications:
      o 800-18, Guide for Developing Security Plans for Information Technology Systems
      o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
      o 800-53, Recommended Security Controls for Federal Information Systems
      o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
      o 800-70, Security Configuration Checklists Program for IT Products
      o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (revised January 2005), issued by the President’s Council on Integrity and Efficiency.

Appendix B-1: NIST SP 800-53 Security Controls Assessed by OIG

•   AC-2 Account Management
•   AC-6 Least Privilege
•   AC-7 Unsuccessful Login Attempts
•   AC-11 Session Lock
•   AC-17 Remote Access
•   AU-2 Auditable Events
•   AU-4 Audit Storage Capacity
•   AU-6 Audit Monitoring, Analysis, and Reporting
•   AU-8 Time Stamps
•   AU-9 Protection of Audit Information
•   CM-6 Configuration Settings
•   CM-7 Least Functionality
•   IA-2 User Identification and Authentication
•   IA-5 Authenticator Management
•   SC-7 Boundary Protection
•   SI-2 Flaw Remediation
•   SI-3 Malicious Code Protection

Appendix C: Certification Agent Statements Concerning Compensating Security Features

Section 1: Statement describing compensating security features, taken as an excerpt from the June 17, 2009, certification recommendation sent to the authorizing official:

      In spite of the remaining deficiencies, the generally well-designed and centrally managed FDCA architecture has layers of security redundancy that partially mitigate the potential damage possible during a security breach. In many cases, security mechanisms much stronger than those required by FISMA were leveraged to accomplish functions                              These enhanced security features, such as                                  often compensated for other less secure features deployed elsewhere in the environment.

Section 2: Statement describing compensating security features, taken as an excerpt from July 23, 2009, e-mail communication with the OIG:

      The "enhanced security features" mentioned in paragraph 12 of the certification memo act as compensatory mechanisms for some of the weaker elements deployed in the FDCA environment by limiting the potential damage from an exploitation of system vulnerabilities rather than by providing directly equivalent security controls for the weak components. When viewed from an overall system risk perspective,                   implemented on the core infrastructure components of the FDCA system serve to reduce the likelihood that an attempt to compromise a low priority application           could be escalated into an attack against the system as a whole.

      While the individual component may suffer a compromise of low-impact data, the more sensitive information related to the Census mission is much more difficult to obtain. Access to that type of information is controlled, in most part, by the server, database,            and telecom environments. Although these environments may not have formally completed the                required by the bureau, they have implemented a                      that not only implements additional security controls not required by FISMA, but it is also effectively managed by a thorough and timely          process. For instance, the use of                                  and communication control on the telecom devices reduces the likelihood that an attacker could stage a                                                   . The               which are not required by policy, help to ensure that only                                                . Likewise, the use of                                                 partially mitigates the device's portability and exposure to potential loss; the strength of the                nearly eliminates an attacker's ability to penetrate the device, even with direct and unlimited access to the